For more than a year and a half, the Mexican government has been collecting an unprecedented amount of biometric data from minors ages 4 to 17 as part of a youth ID card program. The Personal Identity Card for minors, a document authorities say is intended to help streamline registration in schools and health facilities, comes embedded with digital records of iris images, fingerprints, a photograph, and a signature for each minor.

Documents obtained by EFF under Mexico’s Transparency and Access to Information Act show that as of this past May, nearly 4 million minors had been enrolled into registries associated with the new ID. Public records also revealed that more than 1.2 million ID cards had been issued in the states of Baja California, Baja California South, Colima, Chiapas, Distrito Federal, Guanajuato, Jalisco, Sinaloa, and Morelos. Of those who were issued cards, 1,345 had to go through the registration process again because the quality of their biometric data was inadequate for identification.

The ID card project is part of the integration of Mexico’s National Population Register (RENAPO), which is intended to provide a unique identity system to conclusively prove identities of all Mexican citizens. Under the program, the Ministry of the Interior will issue Citizen Identity Cards and Personal Identity Cards containing biometric information, first to youth, and later extending to Mexico’s entire adult population.

Since July of 2009, when President Felipe Calderón officially announced the creation of RENAPO, numerous observers have sounded the alarm that the endeavor violates individuals' privacy rights. Despite serious concerns raised by a governmental accountability agency and a special commission tasked with studying the program, in January of 2011 Mexico nevertheless became the first country in the world to use iris scans as a component of ID cards.

Mexico’s Secretary of Government (SEGOB) claims that the use of iris recognition, along with other biometric data, serves to combat crime such as human trafficking and to streamline registration and enrollment procedures in schools and health care programs. In official statements, SEGOB claims that "it is a free, official document containing biometrics that make it impossible to forge.” Although Mexican authorities argue that the new document will be 99 percent reliable and “one of the safest in the world,” security researchers have shown otherwise, recently demonstrating security flaws even in ostensibly trustworthy iris scanners.

In April of 2010, The Federal Institute for Access to Public Information (IFAI), an autonomous organization established by Mexico’s freedom of information law to promote a new regime of government transparency, issued a 91-page report outlining the problems associated with such biometric IDs, putting forward several alternative recommendations. The IFAI concluded that requiring just one fingerprint would yield a 99 percent reliability rate, and that the collection of any additional biometric data is wholly unnecessary. The report was also critical of the fact that there are currently no legal protections regulating the use of iris images in Mexico.

IFAI ultimately recommended that Mexico remove some of the biometric data on the new ID cards by gradually reducing the amount of data required. The report argued that capturing the image of both irises, plus ten fingertips, was not proportional to the stated objective of the program. IFAI further concluded that any biometric ID system should be subjected to periodic third-party verifications of the collection, storage, and use of biometric data. Aside from these concerns, IFAI cited huge costs of the project, a lack of transparency in the bidding process, and the risks the program poses to the right to privacy.

Another important voice of dissent also emerged in April 2010, when a special Commission of the Parliament was created to review the development of the ID card. One of the commission’s first measures, which was later ignored by the government, was to call for temporarily halting the implementation of the ID to encourage further research and to include the perspectives of more stakeholders in the process. Significantly, the commission noted that there were no “necessary measures related to data protection [or] transparency ... This means that until we have all the elements in place, it is terrible that the project continues.”

The Commission also seized upon the risk of duplication, as the original idea behind the program was to use this ID to gradually replace the current electoral card, which is presented for voting.

Vanessa Lara Carmona, a professor from the Autonomous University of Mexico (UAEM) who conducted research in tandem with the Latin American Network of Surveillance, Technology and Society Studies, concluded that the ID card for minors would not solve the problem of human trafficking in Mexico—one of its officially stated purposes.Carmona also noted that criticism of a lack of security around the data was the reason why the national ID was not being initially implemented for the entire population, as originally intended.

Despite this serious criticism, the project is still going forward. According to SEGOB, the government’s goal is to issue almost 4.5 million IDs by the end of the year, continuing the collection of massive amounts of biometric data. The next step of the project, expected to unfold in 2013, is to extend the ID cards to adults.

Meanwhile, researchers and government accountability agencies aren’t the only ones raising concerns about Mexico’s biometric ID card policy. A group from a Mexico-based hacker collective that runs public workshops promoting the use of free software for technological autonomy and activism also weighed in to express concerns about what the ID cards mean for Mexico.

“At Hacklab Autonomo, we think that all people should have the choice of whether or not to participate in a database that describes them,” the collective members wrote in a statement sent to EFF. “We are against the growing tendency in our society to monitor, and the way in which this monitoring classifies and discriminates against others and ourselves. We believe that access to technology should be free and we want people to exercise their technological autonomy. When you start the collection of biometric data with the kids and casual laborers, the Mexican government is taking advantage of the defenseless and people in precarious situations as they strive to achieve their goals. … The question is not only what will the Mexican government do with this information, but also, who will they sell it to this time?”

Related Updates

Last month, 360 cyber crime experts from 95 countries gathered in Strasbourg to attend the Octopus Conference. The event sounds like something from James Bond, and when you look at the attendee list—which includes senior figures from the United States Department of Justice, national police forces across the...

When she went to Egypt for vacation, Mona el-Mazbouh surely didn’t expect to end up in prison. But after the 24-year-old Lebanese tourist posted a video in which she complained of sexual harassment—calling Egypt a lowly, dirty country and its citizens “pimps and prostitutes”—el-Mazbouh was arrested at Cairo’s airport and...

Against all the odds, but with the support of nearly a million Europeans, MEPs voted earlier this month to reject the EU's proposed copyright reform—including controversial proposals to create a new "snippet" right for news publishers, and mandatory copyright filters for sites that published user uploaded content. The...

The hope that filled Egypt's Internet after the 2011 January 25 uprising has long since faded away. In recent years, the country's military government has instead created a digital dystopia, pushing once-thriving political and journalism communities into closed spaces or offline, blocking dozens of websites, and arresting a...

As we reported last week, JURI, the key European Parliamentary committee working on copyright reform, voted on June 20th to support compulsory copyright filters for media platforms (Article 13), and to create a new requirement on websites to obtain a license before linking to news stories (...

“YouTube keeps deleting evidence of Syrian chemical weapon attacks” “Azerbaijani faces terrorist propaganda charge in Georgia for anti-Armenian Facebook post” “Medium Just Took Down A Post It Says Doxed ICE Employees” These are just a sampling of recent headlines relating to the regulation of user-generated online content, an increasingly controversial...

Vint Cerf, Tim Berners-Lee, and Dozens of Other Computing Experts Oppose Article 13 As Europe's latest copyright proposal heads to a critical vote on June 20-21, more than 70 Internet and computing luminaries have spoken out against a dangerous provision, Article 13, that would require Internet platforms to automatically...

The pending update to the EU Copyright Directive is coming up for a committee vote on June 20 or 21 and a parliamentary vote either in early July or late September. While the directive fixes some longstanding problems with EU rules, it creates much, much larger ones: problems so big...

Update: On June 5, 2018, authorities extended Abbas' detention for another fifteen days. We will continue to post updates on his plight here.When we wrote of award-winning journalist Wael Abbas being silenced by social media platforms in February, we never suspected that those suspensions would reach beyond the...

Anyone looking at their inbox in the last few months might think that the Internet companies have collectively returned from a term-of-service writers' retreat. Company after company seem to have simultaneously decided that your privacy is tremendously important to them, and collectively beg you take a look at their updated...